Joining the Mothership!
After a really enjoyable year with Triangle I received an awesome (& unusual) chance to join VMware.

I’ve signed up to be a Senior Consultant (SDDC) covering the Middle East & North Africa (MENA), a pretty large region that will certainly help clock up the air miles! It’s a big life change in so many ways… After 10 years contracting this will be my first permanent role, my family will be moving nearly 6000km from Dublin to Dubai, and we will have new lifestyles, cultures & customs to embrace. I certainly wasn’t expecting to be packing up our home and becoming an expat when the year started!

I want to thank Triangle for giving me some great opportunities during the year. It was very much an enjoyable experience getting to work with their client base and getting to design & implement solutions around so much of the VMware product stack. Not once did I dread getting up & going to work which is a real sign of an enjoyable job!

VMware NSX for vSphere 6.3 has been released today and with it comes a host of new bells and whistles:

vSphere 6.5 Support

VMware Integrated Containers Support

Centralised dashboard for Services and Operations

Faster Upgrades

Future NSX Manager upgrades will no longer require a reboot. VMware claim this will mean upgrades are 5 times quicker. How that claim is measured will be tested when NSX 6.3.1 drops!

Universal Security Tags

In previous releases when dealing with a multi-site, multi-vCenter deployment the only options for Dynamic Security Policies for DFW rules were to use either MAC address or IP lists. With this release the concept of universal security tags will allow for dynamic rulesets for the implementation of DFW rules across multiple vCenter/NSX deployments.

Branch Office

To bring NSX to highly dispersed environments beyond the datacenter, VMware is introducing a special SKU based on per-VM licensing to fit that model. This is something I’ve been hoping for as a lot of customers don’t have the VM density per host to justify the per socket cost of NSX.

Increased vCloud Director support

As part of the NSX 6.3 release the foundations have been laid for vCloud NFV customers and Service Providers to provide advanced NSX functionality as part of a self-service platform. The list of capabilities to be exposed in vCloud Director has not been released but I’d be surprised if micro-segmentation wasn’t one of these capabilities (only speculation of course as I’m not privy to that information!)

Integration with vRA 7.2

There are now additional enhancements relating to the consumption of NSX load balancers and NAT functionality.

Licensing

Announced as part of the press release is that customers who already own valid NSX licences are now entitled to use either NSX for vSphere or NSX-T in their environments (as long as they stay within their licensed limits of course!)

Customer Base Has Grown

VMware NSX finished 2016 with more than 2,400 customers!

Training and Certification

VMware has said that there have been over 11,000 professionals who have attended NSX training and there are now more than 7,000 NSX certified professionals worldwide.

The VCAP6-NV Deploy exam is very similar to the original VCIX-NV and from a casual review of the blueprint the only major item added has been multi-site NSX. The main ‘spoiler’ I can give for the exam is that of all the blueprint items there were roughly 3-4 small items that weren’t asked. In the older VCIX-NV there were a few items on that blueprint that you would look at and pretty much be certain that it couldn’t possibly be asked in an exam setting; however, this time everything was possible. Whoever came up with the exam environment should get a pat on the back. The layout is superbly thought out and, for the most part, no longer dependent on previous questions being completed successfully for later questions to be attempted.

Of the 4 VCAPs I’ve taken so far this year the NV exam was the toughest. The quantity of questions and the tasks themselves required absolute concentration to the point I was mentally drained coming out of the exam.
Tips:

As with all networking exams (CCNA or NSX) before I click start, I write down a netmask/cidr conversion table. I do this so I’m not having to do mental arithmetic whilst second guessing myself in the middle of a question.

Open the C# client and use it where practical. As much as the web-client is the future, there are still plenty of day-to-day tasks that are quicker to do in the fat client.

Open two web-client sessions to each vCenter. One for NSX tasks and the other for any vSphere tasks you can’t do in the fat client

Honestly don’t expect to pass just because you’re a vSphere god. You need a CCNA level of knowledge to troubleshoot some of the questions. Routing, subnets and a basic understanding of the OSI model is a must if you’re aiming to deploy NSX in real life so it logically stands that the deployment exam will require a basic understanding of the fundamentals.

In my exam I had repeating keystrokes which was mightily annoying for typing passwords. The staff at the test center reset my exam connection and while the issue wasn’t nearly as bad it did improve things to the point I could get the tasks done (with a dose of patience).

With all the will in the world it’s pretty difficult to replicate the exam environment in a home lab. Use the VMware Hands On Labs liberally.

Watch your SPELLING!!! As far as I’m aware the exams are corrected via script. You may build out a perfect solution to a question but if you screw up on the naming of a logical switch or edge router I wouldn’t be too confident of getting high marks at the end.

When I sat the VCIX-NV I had to wait nearly 2 weeks for the result. These days it’s only a few hours. Thankfully I passed!

I’ve managed to squeeze in a couple of VMware VCAP exams this month. The first of which was the VCAP6-DCV Deploy exam (the old DCA) in New Horizons in Dublin city center. A three hour experience that is only for those admins who enjoy pain and suffering the challenge of fixing very broken vSphere environments.

The lab itself was well laid out and the control center Windows desktop was very responsive. The overlay of the questions made the whole experience feel like a VMware Hands On Lab to the point that when I first looked at the screen my heart stopped as I thought that it was a HOL and not the exam! Check out Dave Davis’s blog post on how the deploy exam is laid out on screen.

There was also no screen refresh lag! For my DCA there were constant screen refresh issues and every click had to be thought through. This time the whole lab was responsive, tasks executed quickly and even the web-client didn’t crash once!

The questions themselves were a mix of real life BAU and also the rare one-off config changes you’d usually make when initially deploying an environment. The notes I took after the exam read as a list of pretty straightforward tasks but in the context of time pressure it’s not so easy.

Tips:

Be well fed and rested prior to the exam. In the build up to a VCP or VCAP it can be all too easy to just keep looking through notes, Pluralsight videos or playing in a lab. While this is perfectly fine it’s also a 3hr exam that is mentally exhausting as you try to remember the sub-sub-sub-menu item in the web-client you need or the right esxcli command.

Use the C# client liberally. Don’t use the web-client unless the task requires it. I’ve heard of people sitting the VCAP5.5 exam and thinking they must only use the web-client. Don’t: you’ll run out of time and risk failing the exam. I’ve said it in multiple forums, the vSphere web-client is not fit for purpose, especially in situations where you have to fix something quickly.

Most of the blueprint was asked in some way. Know how to do it all and the exam will be just a battle against time.

If a question is outside your comfort zone then mark it down and move on. Get a first pass through the questions and then come back to the more challenging questions. Hopefully you’ll have plenty of time left to look up documentation and answer the tougher questions.

I received the result via email within an hour of finishing the exam and passed thankfully!

On Friday I got the good news that I made it onto the VMware vExpert NSX program for 2016. This particular program is for current vExperts who have a passion for NSX to gain insight into what is coming down the pipeline and help provide feedback where possible on the product. Currently there are over 1300 VMware vExperts worldwide and given the many solutions VMware provides it’s a positive move to target information to particular groups and give more targeted information to share with the wider IT community. This is the first time the vExpert program has created a product specific sub-program and it will be interesting to see if there will be further vExpert programs for Cloud or Desktop.

With NSX Transformers having gone GA in May and NSX bringing extra functionality with every single point release I’m hoping myself and the 115 other NSX vExperts will be keeping busy this year!

I recently sat the VCAP6-CMA Design beta and thought it might be worth writing up a few words on the experience. The beta is under NDA so please don’t expect a brain dump here, I enjoy sitting certification exams and I have no interest in getting barred from sitting others just to have a few extra page hits on my blog! (Sorry!) I have already sat the VCAP5 DCD & CID exams so the exam itself wasn’t as daunting as my first time taking them as I knew what to expect.
The difference this time around for me was:
1. There were no multiple choice questions. It was drag & drop style questions with plenty of Visio questions mixed in.
2. The exam was 4 hours long however the actual exam is likely to be 2-2.5 hours long when it goes GA.
3. I could go forward and back between questions which was very useful when I figured I might have screwed up an earlier question. It also was a way to validate that I’d joined all the elements in the Visio questions the way I wanted.
4. Some of the questions were slam dunks and others were mightily perplexing. Not from the point of view of not having studied enough but from either the odd misspelling or the instructions that begged for a little more context.
5. If you have sat the VCP6-Cloud/CMA exam you’re probably well aware of certain obsessions the question setters loved to ask about. More of the same I’m afraid!
6. The exam itself is one of the most ‘do-able’ design exams I’ve had yet and if you know your stuff you’ll breeze through it. There are no nasty questions really, just some unclear ones but I’m hoping my comments that I left during the exam will be read and acted upon for the good of future test takers.
7. Was it a good test of design knowledge? Well it will validate your knowledge of how vRA is put together and how it interlinks with each component. I think the DCV Design exam validates actual design principles a lot more than the CMA version. It might be controversial but I also think the multiple choice questions had a place in the exam. They tended to be able to ask a lot more probing questions and allowed far more items in the blueprint to be questioned. [I fear that I’m going to regret that statement if they add them back into the VCAP7 Design exams!]
8. Is this exam actually worthwhile? It’s based on 6.x but 7.0 has already been released. The exam validates a general vRA knowledge but some questions would be answered somewhat differently if it was a vRA 7.0 exam. I’m not so sure this exam should have been released based on 6.x but it has and it’s unlikely to be changed in this calendar year so no point in whinging about it! 😉
9. I wish to mourn the lack of VCD questions. There are some vCloud Air and VCD references but if you’re a vCloud Air Partner then this exam won’t validate your staff or prospective employee’s knowledge which I think is a bit of a shame. VCD is making a quiet comeback after the Virtustream debacle and I think there’s still a place for it in a certification track.

Did I pass? I honestly don’t know! If I didn’t pass I’m pretty sure I’ll pass the second time as I’ve a sure fire knowledge of the types of questions asked. There have been exams I thought I barely scraped a pass on and ended up with high marks and then others I thought I nailed and had barely passed. There were nearly 40 design questions over the 4 hours but in some documents I saw online it stated about half that number of questions will be on the actual exam so I won’t know which questions will get pulled from the beta and carry on to the GA version.

To sum up, it’s not an exam to be feared if you’ve already worked on a real vRA 6.x deployment. If you haven’t then you really need to study all the reference documentation thoroughly and study every diagram meticulously!

This week has been pretty heavy on demonstrating NSX and its various security capabilities. One of the capabilities that is slightly ignored is the inbuilt DLP capability for finding private data such as credit card numbers, SWIFT codes, VAT numbers, driving licence ID numbers etc. on deployed VMs. Most conversations around NSX are about microsegmentation and the L7 deep packet inspection capabilities that will help with data leakage; however, I’d like to point out there is yet another side to the product, namely the Guest Introspection & Data Security services.

One of the usual threats customers face is the insider threat, where an employee or contractor may copy sensitive data from a main server and leave it on their desktop to do with what they will at a later stage. If you are running a Horizon VDI deployment with NSX underneath then it’s only a matter of a few clicks and you’ll be able to keep track of where your sensitive data is on your infrastructure. From real world experience I’ve seen text files of customer banking details being left on unsecured fileshares without the proper permissions structure (by accident), but in the wrong hands it would have been enough to trigger a trip to the Data Protection Commissioner and get scolded and fined for such a security breach. This one NSX service would have caught that file and potential data breach.

I certainly am not claiming the out of the box capabilities are as good as third party security tooling however when you have the capability to secure your data at no added cost to you as part of your NSX deployment you’d be foolish not to try it out and see the results!

You will find below a handful of screenshots showing the simple steps I took to deploy these capabilities and the results.

These services are native to the NSX platform and require no special licences. They are deployed on the next tab along from where you would configure vxlan. The deployment is simple and at most requires an IP Pool or DHCP scope to be available.

Once deployed you will hopefully see that the installation has succeeded and the services are ‘Up’.

So at this point you have simply deployed a couple of service VMs on each host that aren’t doing a hell of a lot. What you now need to do is decide on what VMs in your environment you want to monitor and create a Security Group in Service Composer to match those VMs. In my case I simply wanted to scan the Windows 7 VMs in my lab so my Security Group was dynamically created based on the VM OS being Windows 7!

Next was actually setting up a Security Policy which again was pretty straightforward.

As you can see from the screenshot I am looking to find some credit card data on the VMs. Once this security policy is created it needs to be applied to the security group you wish to scan. This is done just as if you were applying firewall policies to a security group.

The final step to set up the scanning for my credit card data is to configure the elements of the data security tab in the NSX manager.

As you can see I was scanning for certain types of credit card and financial details within a myriad of file types. There are plenty of other data types preconfigured within the system but at this point I haven’t spotted how to add other RegEx formats (probably just need to RTFM!).

So what were the results of setting the policy? Well other than a false positive within an Adobe Reader cab file it picked up my Visa, MasterCard and Swift banking codes in some text files I left on my W7 desktop.
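
An added example (not part of the original post, and not NSX's own detection logic) of why pattern-only scanning throws false positives on binary content and how a checksum plus issuer-prefix check narrows the hits. The regexes, the country-code subset and the sample text are all assumptions constructed for illustration.

```python
import re

# Assumed patterns for illustration; these are not NSX's built-in definitions.
# PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# SWIFT/BIC: bank(4) + country(2) + location(2) + optional branch(3).
BIC_RE = re.compile(r"\b[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b")
COUNTRIES = {"IE", "GB", "DE", "AE", "US"}  # sample subset of ISO 3166 codes

# Constructed sample: two well-known test card numbers, one random digit run
# (the kind found inside installers and archives), one BIC, one decoy word.
SAMPLE = """\
visa: 4111 1111 1111 1111
mc: 5555-5555-5555-4444
build id 4111111111111112 in installer cab
swift: DEUTDEFF500
note: PASSWORD reset
"""

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def brand(digits: str) -> str:
    """Classify by issuer prefix (Visa and MasterCard only, as in the post)."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "visa"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55
                              or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    return "unknown"

def scan(text: str):
    """Return (line_no, kind, value) findings; card numbers are masked."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            kind = brand(digits)
            if kind != "unknown" and luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((no, kind, masked))
        for m in BIC_RE.finditer(line):
            if m.group()[4:6] in COUNTRIES:   # drop 8-letter words like PASSWORD
                findings.append((no, "swift", m.group()))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```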

Today I start my new role as a Technical Architect Consultant with Triangle specialising in Datacenter Automation.

Triangle have been a VMware Partner for over 10 years and they were recently made one of 13 Elite partners worldwide for their work with delivering SDDC solutions.

How I first encountered Triangle was as a customer back in 2008 when they were hired to conduct an assessment of our production environment to see what we could virtualise. At the time I found them to be knowledgeable and easy to work with and based on more recent experiences with talking to Donal, Miriam & Christian there is still that ambition to help solve problems for customers and deliver a quality solution.

Having worked in various large 24×7 enterprises for the last 9 years the time was right to move into a customer facing design and implementation role where I could bring my knowledge and experience to a wider set of clients. I’m also very much looking forward to working with the new team and learning from them.

After 3 years & over 100,000 deployed VMs it’s time to move on. Amongst all the project work and cool tech I had the fortune to use I got to make some really good friends and probably the odd enemy but hey that’s life…
I’d like to think I’ve embraced the 5 Betfair values (Will to Win, Pace, Respect, Smart & Disciplined). Certainly working at pace in an agile environment you learn to roll with the punches and start to expect the unexpected! Almost every 2 weeks we were set automation challenges that had never been done before, those late nights with the guys writing code and testing it to death made us firm friends with a level of respect and trust that can only be earned through cold pizza & Nerf guns. Even after most of the team left we’re still in constant contact swapping war stories and keeping tabs on each others’ families.
We wouldn’t have succeeded in delivering what we did without the incredible support of Ronan, Scott, Brendan & the management in VMware GSS in Cork. The number of P1 & P2 tickets they reacted to was absurd and yet helped us deliver solutions at a ridiculous pace. The vCAC, VCO, AppD & NSX teams also deserve a solid pat on the back for helping us deliver what we did.
So farewell Betfair… I wish you all the best with the imminent merger with Paddy Power. With the inrush of two pretty amazing IT teams it’s going to be an awesome talent pool!
What’s next? Well that deserves another blog post in a couple of days time…